Analysis Overview
SHA256
3c03c8d5dd4d8ee05f058b795c25c706444eac15fb4e2e444580fe3abe3d544a
Threat Level: Known bad
The file 2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobaltstrike
Xmrig family
xmrig
XMRig Miner payload
Detects Reflective DLL injection artifacts
Cobaltstrike family
Cobalt Strike reflective loader
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 01:44
Signatures
Cobalt Strike reflective loader
(1 hit; no description, indicator, process or target recorded)
Cobaltstrike family
Detects Reflective DLL injection artifacts
(1 hit; no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
(1 hit; no description, indicator, process or target recorded)
XMRig Miner payload
(1 hit; no description, indicator, process or target recorded)
Xmrig family
UPX packed file
(1 hit; no description, indicator, process or target recorded)
Unsigned PE
(1 hit; no description, indicator, process or target recorded)
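Added example, not part of the sandbox report: the two static signatures "UPX packed file" and "Unsigned PE" can be reproduced from the PE headers alone. The script below walks the DOS, COFF and optional headers by hand, reads the section names (UPX leaves UPX0/UPX1) and the IMAGE_DIRECTORY_ENTRY_SECURITY data directory (empty on an unsigned file). Because the sample itself is not embedded here, `build_pe` constructs a headers-only PE32+ image for demonstration; on a real file call `assess(open(path, "rb").read())`.

```python
import struct
from typing import Dict, List, Tuple

SECURITY_DIR_INDEX = 4              # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode blob
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_section_names_and_security_dir(data: bytes) -> Tuple[List[str], Tuple[int, int]]:
    """Return (section names, (offset, size) of the security directory) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                                          # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dd_base = opt + 96                                     # data directories start (PE32)
    elif magic == PE32PLUS_MAGIC:
        dd_base = opt + 112                                    # data directories start (PE32+)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_dir = struct.unpack_from("<II", data, dd_base + SECURITY_DIR_INDEX * 8)
    sec_hdr = opt + opt_size                                   # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[sec_hdr + i * 40: sec_hdr + i * 40 + 8]     # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names, (sec_dir[0], sec_dir[1])


def assess(data: bytes) -> Dict[str, object]:
    """Static verdict in the spirit of the report's 'UPX packed file' / 'Unsigned PE' signatures."""
    names, (sec_off, sec_size) = pe_section_names_and_security_dir(data)
    return {
        "sections": names,
        "upx_sections": any(n.upper().startswith("UPX") for n in names),
        "has_authenticode_blob": sec_off != 0 and sec_size != 0,
    }


def build_pe(section_names: List[str], signed: bool) -> bytes:
    """Constructed headers-only PE32+ image used as sample input (assumption: no code or data)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                        # PE32+ optional header with 16 directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    if signed:
        # Pretend a 0x800-byte WIN_CERTIFICATE sits at file offset 0x1000.
        struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, 0x1000, 0x800)
    secs = b"".join(n.encode("latin-1").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + bytes(opt) + secs


if __name__ == "__main__":
    print(assess(build_pe(["UPX0", "UPX1", ".rsrc"], signed=False)))
    print(assess(build_pe([".text", ".rdata", ".data"], signed=True)))
```

Two caveats a practitioner should keep in mind: UPX section names are trivially renamed, so a packed file with no UPX0/UPX1 sections is still possible, and a non-empty security directory only means a certificate blob is attached; whether the signature is valid and chains to a trusted root is a separate check (for example `Get-AuthenticodeSignature` in PowerShell or `signtool verify`).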
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 01:44
Reported
2024-06-01 01:47
Platform
win7-20240221-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
(21 hits; no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 hits; no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
(53 hits; no description, indicator, process or target recorded)
XMRig Miner payload
(56 hits; no description, indicator, process or target recorded)
Executes dropped EXE
21 hits, one per dropped executable launched (no description, indicator or target recorded):
C:\Windows\System\OkYKAza.exe
C:\Windows\System\zubfBXq.exe
C:\Windows\System\EQKNDQw.exe
C:\Windows\System\HgnpwOc.exe
C:\Windows\System\SqJjBOA.exe
C:\Windows\System\OyNokrd.exe
C:\Windows\System\haJhwgw.exe
C:\Windows\System\QFcUbtW.exe
C:\Windows\System\THpORPe.exe
C:\Windows\System\aHxjHMd.exe
C:\Windows\System\iDcDcsJ.exe
C:\Windows\System\vaVfUXz.exe
C:\Windows\System\JOywBql.exe
C:\Windows\System\GSeZMDS.exe
C:\Windows\System\SWzHZpE.exe
C:\Windows\System\WKmqmGF.exe
C:\Windows\System\PJTVrXP.exe
C:\Windows\System\KXcVSON.exe
C:\Windows\System\vMQZvbU.exe
C:\Windows\System\TEEQvCl.exe
C:\Windows\System\EIYjneA.exe
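Added example, not part of the sandbox report: every executable the sample launches is a freshly dropped file with a seven-letter random name under C:\Windows\System, and the report's Files block lists each one with its hashes. The script below parses that block into an IOC set and hunts a directory tree (for instance a mounted disk image) for the dropped files, either by SHA256 match or by the naming scheme alone. The embedded block is a subset copied from this report (three entries, MD5 and SHA256 rows only); the `hunt` root and the naming regex are assumptions about how the dropper behaves, not statements made by the report.

```python
import hashlib
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample: three entries from this report's behavioral1 Files block,
# plus one memory-dump line to show that those are skipped.
FILES_BLOCK = r"""
C:\Windows\system\OkYKAza.exe
| MD5 | 233ff2b1c4422a085e57f30b6d9695d5 |
| SHA256 | 0a3f7153066d440b68140f0649262f0e17251072ea6e0c43d9cdf5c3f3e33423 |
C:\Windows\system\zubfBXq.exe
| MD5 | b90a3596885910319cf7007586edacab |
| SHA256 | 2c462ea23c2dc130bb9e4caf6a583ce998f240b3e30103d2403926c6f4dc765b |
memory/2728-16-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
\Windows\system\EQKNDQw.exe
| MD5 | 62c2064ac519f373e0547b186b899dd4 |
| SHA256 | 79a840c19e4c479b696a4b16689b0c9fb7f3cc27241bcbdd3582d5788aade733 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Assumed dropper naming scheme: exactly seven letters + .exe, directly in Windows\System.
DROPPER_PATH = re.compile(r"\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_files_block(text: str) -> List[DroppedFile]:
    """A path line starts a record; the '| ALG | hex |' rows that follow belong to it."""
    records: List[DroppedFile] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue                                  # memory dumps carry no file hashes
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                current.hashes[m.group(1)] = m.group(2).lower()
            continue
        current = DroppedFile(path=line)
        records.append(current)
    return records


def sha256_set(records: List[DroppedFile]) -> Set[str]:
    return {r.hashes["SHA256"] for r in records if "SHA256" in r.hashes}


def is_dropper_path(path: str) -> bool:
    """Name-pattern check; '/' is normalised so it also works on a Linux-mounted image."""
    return DROPPER_PATH.search(path.replace("/", "\\")) is not None


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: str, records: List[DroppedFile]) -> List[Tuple[str, str]]:
    """Walk `root` and report files matching a report hash or the dropper naming scheme."""
    by_sha256 = {r.hashes["SHA256"]: r.path for r in records if "SHA256" in r.hashes}
    hits: List[Tuple[str, str]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_of(full)
            except OSError:
                continue
            if digest in by_sha256:
                hits.append((full, "SHA256 matches report entry " + by_sha256[digest]))
            elif is_dropper_path(full):
                hits.append((full, "7-letter random .exe under Windows\\System (name pattern only)"))
    return hits


if __name__ == "__main__":
    import sys
    iocs = parse_files_block(FILES_BLOCK)
    for path, reason in hunt(sys.argv[1] if len(sys.argv) > 1 else ".", iocs):
        print(path, "=>", reason)
```

Hash hits are conclusive; name-pattern hits are a lead only, since the regex will also catch any legitimate seven-letter executable that happens to live in Windows\System, so review those before acting on them.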
Loads dropped DLL
UPX packed file
(53 hits; no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege ("Lock pages in memory") is the privilege XMRig enables so that it can back its RandomX working set with large pages. It is also requested by legitimate software such as SQL Server with locked pages enabled, so treat it as supporting evidence for the XMRig detections above rather than as a standalone indicator.
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\OkYKAza.exe | C:\Windows\System\OkYKAza.exe |
| C:\Windows\System\zubfBXq.exe | C:\Windows\System\zubfBXq.exe |
| C:\Windows\System\EQKNDQw.exe | C:\Windows\System\EQKNDQw.exe |
| C:\Windows\System\HgnpwOc.exe | C:\Windows\System\HgnpwOc.exe |
| C:\Windows\System\SqJjBOA.exe | C:\Windows\System\SqJjBOA.exe |
| C:\Windows\System\OyNokrd.exe | C:\Windows\System\OyNokrd.exe |
| C:\Windows\System\haJhwgw.exe | C:\Windows\System\haJhwgw.exe |
| C:\Windows\System\QFcUbtW.exe | C:\Windows\System\QFcUbtW.exe |
| C:\Windows\System\THpORPe.exe | C:\Windows\System\THpORPe.exe |
| C:\Windows\System\aHxjHMd.exe | C:\Windows\System\aHxjHMd.exe |
| C:\Windows\System\iDcDcsJ.exe | C:\Windows\System\iDcDcsJ.exe |
| C:\Windows\System\vaVfUXz.exe | C:\Windows\System\vaVfUXz.exe |
| C:\Windows\System\JOywBql.exe | C:\Windows\System\JOywBql.exe |
| C:\Windows\System\GSeZMDS.exe | C:\Windows\System\GSeZMDS.exe |
| C:\Windows\System\SWzHZpE.exe | C:\Windows\System\SWzHZpE.exe |
| C:\Windows\System\WKmqmGF.exe | C:\Windows\System\WKmqmGF.exe |
| C:\Windows\System\PJTVrXP.exe | C:\Windows\System\PJTVrXP.exe |
| C:\Windows\System\KXcVSON.exe | C:\Windows\System\KXcVSON.exe |
| C:\Windows\System\vMQZvbU.exe | C:\Windows\System\vMQZvbU.exe |
| C:\Windows\System\TEEQvCl.exe | C:\Windows\System\TEEQvCl.exe |
| C:\Windows\System\EIYjneA.exe | C:\Windows\System\EIYjneA.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to the same address and port with no domain recorded: the destination is contacted by IP rather than resolved by name, which is consistent with a hard-coded beacon target.
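Added example, not part of the sandbox report: the network tables in both detonations mix DNS noise (reverse lookups sent to 8.8.8.8) with repeated direct TCP connections to one host. The script below parses rows in the report's four-column layout, separates PTR lookups from forward lookups, and flags any public address that is contacted repeatedly over TCP without a domain name as a beacon candidate. The embedded rows are copied from this report's two Network tables; the threshold of three connections is an assumption chosen for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Counter as CounterT, List, Optional, Set, Tuple

# Constructed sample: rows copied from this report's Network tables,
# column order Country | Destination | Domain | Proto.
NETWORK_TABLE = """
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
"""

ROW = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*([0-9.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(tcp|udp)\s*\|$"
)


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str      # empty when the sandbox recorded no name for the destination
    proto: str


def parse_network_table(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            flows.append(Flow(m.group(1), m.group(2), int(m.group(3)), m.group(4), m.group(5)))
    return flows


def ptr_target(domain: str) -> Optional[str]:
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    octets = domain[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(flows: List[Flow]) -> Tuple[CounterT, Set[str], Set[str]]:
    """Split flows into direct-by-IP TCP connections, forward DNS names and reverse-looked-up IPs."""
    direct: CounterT = Counter()
    forward: Set[str] = set()
    reverse: Set[str] = set()
    for f in flows:
        if f.proto == "udp" and f.port == 53 and f.domain:
            target = ptr_target(f.domain)
            if target:
                reverse.add(target)
            else:
                forward.add(f.domain)
        elif f.proto == "tcp" and not f.domain:
            direct[(f.ip, f.port)] += 1
    return direct, forward, reverse


def beacon_candidates(flows: List[Flow], min_hits: int = 3) -> List[Tuple[str, int, int]]:
    """Public (ip, port) pairs hit at least `min_hits` times over TCP with no name resolution."""
    direct, _, _ = classify(flows)
    out = [(ip, port, n) for (ip, port), n in direct.items()
           if n >= min_hits and ip_address(ip).is_global]
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    flows = parse_network_table(NETWORK_TABLE)
    direct, forward, reverse = classify(flows)
    print("beacon candidates:", beacon_candidates(flows))
    print("forward lookups:", sorted(forward))
    print("reverse lookups of:", sorted(reverse))
```

The reverse lookups are worth keeping as context rather than as indicators: they tell you which addresses the guest tried to name, not which ones the sample contacted. The block-worthy artifact is the destination that appears under "beacon candidates".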
Files
memory/2728-0-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2728-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\OkYKAza.exe
| MD5 | 233ff2b1c4422a085e57f30b6d9695d5 |
| SHA1 | 924ef9829f86ecd54c5fff14c53c8076f3b08e35 |
| SHA256 | 0a3f7153066d440b68140f0649262f0e17251072ea6e0c43d9cdf5c3f3e33423 |
| SHA512 | c8aaaa9fa5d3a2e198795dededaf8b0caaee411496b3db0e1d1ae7140232fcaf3903601b55543c6b05ee499b001c774bc91ee3b170b8f46f14eef4c18f84bcdc |
C:\Windows\system\zubfBXq.exe
| MD5 | b90a3596885910319cf7007586edacab |
| SHA1 | e04ef68c85b127187fafd6047f434dc889e50785 |
| SHA256 | 2c462ea23c2dc130bb9e4caf6a583ce998f240b3e30103d2403926c6f4dc765b |
| SHA512 | 55caacbb93b956c949506438694a7aa8b9f74f31dd3ae0d6ee26f4d032d9ac5960831c888829ae657da51147d814ee37303dc0a5884525bbea1a0d70d5f6c0ab |
\Windows\system\EQKNDQw.exe
| MD5 | 62c2064ac519f373e0547b186b899dd4 |
| SHA1 | 1982a73f64883d43c931713e45f4d3d1c0c5e285 |
| SHA256 | 79a840c19e4c479b696a4b16689b0c9fb7f3cc27241bcbdd3582d5788aade733 |
| SHA512 | 26c2b5f32db85fc262a743aa5ac18bee7fc93eb642a6bb851186c17e4ba5b2f68a8ce79b847a0db5a42167d8c682fd2544d97f8144a437b7b86e259d6a814f6b |
C:\Windows\system\SqJjBOA.exe
| MD5 | 0b76febe5636765c9971faef0b4b0f03 |
| SHA1 | ee8645a3526551a8735d8fb12cabc66fcc82ccef |
| SHA256 | 0bd1ac679b12455f26f95325dc81f5162849515bcd51ed142d4559abe550ae31 |
| SHA512 | ba66556a34f019f191d0ef2dbd9b51c543c7a5ccea76d9ea196232fe0ff543d08588ff25780e8bb497c8a2588b1c244cca84f4138719d82ba6925cc2503fd175 |
C:\Windows\system\OyNokrd.exe
| MD5 | 73be8c2f26d71e0c7afdc55ee48b5f78 |
| SHA1 | fee282b73af9e4ba249cc9f426672e5518ed87d7 |
| SHA256 | a05feb84061a07a58b7bb2b21708c969ff95afcec0ebba62c098312f70c5e60d |
| SHA512 | 92fc61d012c9cd45b025bf33201fa7b204f05f153f249fd25613d7eecaaf810f41c16448be9da3f84eb364b2fe4af336c1d9575a819b926589d108737c55fe3f |
\Windows\system\SqJjBOA.exe
| MD5 | ae299a912f06dcbeb580698322674f8a |
| SHA1 | a18fc229671d0b83eabfcbca60d78c856493a908 |
| SHA256 | b8a80128665bc391dc03eaa699ae53a7129846701e7ecad3ddb3a630c2a8791e |
| SHA512 | 6b5a732c41fb06c2aa5494a972b131f887b02704e0e8c5c43627475d65191699d0bb0e9aeaf7dedaa2ac303920b25e7a048dd21c5239a3411681fb60d41eae2c |
C:\Windows\system\QFcUbtW.exe
| MD5 | 38b9e8530c0bbd55b6a9bdaac3ba36a1 |
| SHA1 | d1c887766eae8d5b5092a28391306dc1ac5057a2 |
| SHA256 | a81eee667943818621bb822afd7065cd26b0d0a183f02725bca778e9d4764744 |
| SHA512 | e1ba304c51bab9bf8db7f8d1d16d0136afdd0c35533cf4fc5abfc53b63071a0a5626a2f6eed64b0a37dd9e232497170a3742c3c1ac1f398b4c0b168c2c1eec93 |
C:\Windows\system\THpORPe.exe
| MD5 | 79e79b218fc4a09c72afdc15f5394da6 |
| SHA1 | 9478cdebd8a8f6f724000c41cc87a1bb45e7ffa5 |
| SHA256 | 0b94d3b73425c4bfe34a33adb04c04210bb9861c378ac38a0e45cf09d0154ad0 |
| SHA512 | 774c49984f43957ef23049cd77ce3eefea0f7819080fa75c065ebfcc1433accdd97ce25d6b06b4971df8c60bf60edcce4ddaa1ef2c7b0095f3968ada8215e74a |
C:\Windows\system\aHxjHMd.exe
| MD5 | 844c0fa46ea0cfb4022abfdf14079b21 |
| SHA1 | edbb342a9a3a993eaccc32e9f9e700e85c046bc4 |
| SHA256 | fa63aa41de07488fb73856b8c9f1f0b1d8f59bc50bd69adc03f1ae12f393ab7e |
| SHA512 | 53fc9755c63cef098510008f4d4b8e7e776a8a0325152b61acb813b436bf08335612f4e7c376a3c386a36df98ac80116bbb56adcaba50eef3d5a47565c7e7e4c |
C:\Windows\system\vaVfUXz.exe
| MD5 | 8132afdf6ba6f3a0dcaf374f8f5c8884 |
| SHA1 | dafd4e7f5d0d2836f1a68f4f8e5b02205776cdbd |
| SHA256 | b8db033a1a3a9a978a888dce1abb0574b7923333782a94122b37bfebf4ce76a5 |
| SHA512 | a353faaaf4c0f282cf79f264929d3ccca6a0b1234e85dc95b8ed5072b76c0369553b6c6aa3066d5718fa1b1655873efa356de83bfd3d53ee95cfcb021b334a4a |
C:\Windows\system\WKmqmGF.exe
| MD5 | b840d300f979298ed60312dfa792218c |
| SHA1 | 72de6ae64b4ac964354871bd167d27a093a1189f |
| SHA256 | 151388c47b8cb8bd68366c1d5edb6dd05ce7373a23a16fd233a70196c69b0a66 |
| SHA512 | 5d51dbc0aaec75631cd761ec91b5834ed4ddff8dc7201e1cd061bc082911ddc6f1e632529b23f8a5bd16e2c206c70538a37909c9d890128da8e46c49f8124b4c |
C:\Windows\system\TEEQvCl.exe
| MD5 | a95b1f66bd1e287db4c6a5907af86191 |
| SHA1 | ff5d14012e53dde623fc7c33ab0d5f4070e5caac |
| SHA256 | 3f0a31230a3410f866efebf00ad83cd12c528469e67cda1e82d4d10a3775c9cd |
| SHA512 | cf227259700c8618028e473287cd834813becabd733139a3e37582763954f12605b0a2ceed2f1355627afbc98cb344bf8ee60b2f823c2562d825e9b873e3f188 |
C:\Windows\system\EIYjneA.exe
| MD5 | be8445e58b85acfc6b6376328f4d73ed |
| SHA1 | 724b658d73025abee6420a27dbb96a01b44dc66e |
| SHA256 | 5b0e565e1f7db65aab867182e0d70fa37c20c64ef853c4101dfe055e8ff64a6b |
| SHA512 | 939398c43ed78608253a7c58727b06a0a5c4477db764fc6fa9825cd64fed776b1c2e00e37fe04884c4b67a91b290bee64be16caf95035e944ff64fc67b604ef1 |
C:\Windows\system\vMQZvbU.exe
| MD5 | 819db79300aeda5a7ae7ffc659140e65 |
| SHA1 | 1d07432c563b4a946c684131fc8ce98c5d9b9637 |
| SHA256 | cb6c57db3e97fbe63a20ebf2b67f2d500fd8d27f5ca654289d504232e94f473f |
| SHA512 | 73265aa0fdaa5f30f8a548f7a498cd8c5dc71b127d230df29ee0fb63408d89366533fd3fce09b643cfcb88bda3ab3814bc297c2e277e3e9aa955d14c3ed91a92 |
C:\Windows\system\KXcVSON.exe
| MD5 | 8fb9c53ffbd820480c60399f93d5708e |
| SHA1 | 3db588b4fee1aa9e61fd77a0ac9ae95e6c79a3bf |
| SHA256 | 68ea5f7c9e89961967b2dc246a44898a6b1f82c57ef8906e2503fb524d1f716c |
| SHA512 | fb68ad990a9895996e812ce7e425efd388c414b6bb8981e67e27baa68895d18911e9ffdcdc46e65195e7da7c857ed566efe4fdf6557a331ebe63d08432e70e2f |
C:\Windows\system\PJTVrXP.exe
| MD5 | 7bc4e3216d1cfb4956cc890c42fcfa4b |
| SHA1 | 8f18f9681cbddb73aa5953c361302236c4f9099b |
| SHA256 | 61bbcbc34f6e1331cd03266b3f373cdaba9bfc4f436902264c4fbc989370a6c9 |
| SHA512 | 593e2dc41a710ae401b040ea8732c8a34c1a83f68533ced5e905fd8a6602687eeb6fc174e3445da348a1f98a93bee722fdb0a8847111b04317b07411792b7c20 |
C:\Windows\system\SWzHZpE.exe
| MD5 | 9191b21a57ee67835878f7135bf158bc |
| SHA1 | 0d5b9f39f284fab6607278e8865b8bdffa4c0a94 |
| SHA256 | ed766b6ccec797b0e1dbce8cdc6c85d3be6a19935e8f9eb0584d6c664ca89c05 |
| SHA512 | 79c929d0e501351248ae84b73232a7b736294d042ea40a1e513d9750b0678c792ce0e39dd2cd0b50ee45d05fed194b8cd1cfb7c2909cc9667dc19aaaa533c465 |
C:\Windows\system\GSeZMDS.exe
| MD5 | 18027a34e1cca8dd8fea62ace5f292b1 |
| SHA1 | 5244244ba4a86e5765d5dc8507fc7bd9c5f277fa |
| SHA256 | 685e47f22e1f8ac89a3864f750ac09df2e26bd3a025bdc61eb4ee994ef9ba0c1 |
| SHA512 | 7dee6a81c7c89afd2a8fb54dd8766e00ca887513be8329e468c1cc2b8384313718ca841052ec2df7862c1e9e080b7c13ab1a78fece45cd0403877245dba74196 |
C:\Windows\system\JOywBql.exe
| MD5 | c3936ef2695de9448215f166b3e5c3c5 |
| SHA1 | 7345aa17171c41ec04af3fa6b7b0efa4fe51b312 |
| SHA256 | 6e1cac630a68b0088a1e53a879e55890a971a67c84c51b9ae393e66b00d26673 |
| SHA512 | 44de4818fff9089bd78332ff09be0c8c9418464ed554949cda4f5ed6967d0bee940b098724a52a6c50d339075235bd97af3db668d645826283fece162d3b3732 |
memory/2752-66-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2728-65-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2656-64-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/3020-63-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2728-62-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2688-58-0x000000013FF80000-0x00000001402D4000-memory.dmp
C:\Windows\system\iDcDcsJ.exe
| MD5 | 74efd91927b39d7c3a2f1be6872dacb3 |
| SHA1 | b6db33cd956cd3261ec25a34e9312225e0be151c |
| SHA256 | c8f0d53f2a6c5e1fb733004bfd4c6070cbc86d951e7c97971956f1e2358a080c |
| SHA512 | 64536130798c0c625970a533685131c8b15a48888816847cae47aa9138f2a663ce9f4f6c5aa87ea21d7b504995820dad07f5a69d3a72f4b7ccef75591f494964 |
C:\Windows\system\haJhwgw.exe
| MD5 | 4d394294b57446dd2062fe620936b5a6 |
| SHA1 | 17505696e16b940e93ec337e24db1a97884038c4 |
| SHA256 | 3c72a709221e1ba61273fee9475e5ddeaad0f5b8ac2c0a63c4597602ba102e01 |
| SHA512 | 1ae2aa5e023b7968d284fd7827988f81af02eaa673a63dcfced53030cc83ea37845af715a4852ecdbd66fc45cb8a75da4fec8f4fe4d0c5f591e3a201c59c9d74 |
memory/2728-16-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
C:\Windows\system\HgnpwOc.exe
| MD5 | bc5e5f9ab9bedde86913f9287383e1af |
| SHA1 | e122fb79c082ef8f7fbf43dcdf4651a1a5b907d6 |
| SHA256 | b2109f5e7c3bfc0491840cd35e374888b7432d01c9bee459a7fcfa9a91391fad |
| SHA512 | 5f8895ea9f4396435863d9f78525373918f483e90f4e0dbaf72fcb521a309630a531c805a8667b6362211b3fe4ad99558ffd4c6b8da05ef578a3e9756f60cb87 |
memory/2540-19-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2536-116-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2728-117-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2728-115-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2728-121-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2304-124-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2728-126-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2032-128-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2736-127-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2628-125-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2552-129-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/2452-122-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2728-123-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2396-120-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2728-119-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2716-118-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2728-130-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2728-131-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2656-132-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2540-134-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2032-133-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2688-135-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2552-137-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/3020-136-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2452-139-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2752-140-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2716-138-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2628-141-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2304-144-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2536-146-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2736-145-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2396-143-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2656-142-0x000000013FD10000-0x0000000140064000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 01:44
Reported
2024-06-01 01:47
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
(21 hits; no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 hits; no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
(64 hits; no description, indicator, process or target recorded)
XMRig Miner payload
(64 hits; no description, indicator, process or target recorded)
Executes dropped EXE
21 hits, one per dropped executable launched (no description, indicator or target recorded):
C:\Windows\System\UwUdlBL.exe
C:\Windows\System\oUOnFiU.exe
C:\Windows\System\OzNXdlD.exe
C:\Windows\System\PoDKeZH.exe
C:\Windows\System\yADZsVp.exe
C:\Windows\System\aZXQUHB.exe
C:\Windows\System\AwEBgDH.exe
C:\Windows\System\BbzUVFV.exe
C:\Windows\System\PcYteHi.exe
C:\Windows\System\GJgAZUi.exe
C:\Windows\System\baosKaz.exe
C:\Windows\System\nbNDogY.exe
C:\Windows\System\VfmTyJR.exe
C:\Windows\System\KdpiYGC.exe
C:\Windows\System\PbUuXKP.exe
C:\Windows\System\wOHyIYL.exe
C:\Windows\System\xKmvrWa.exe
C:\Windows\System\MYeVjDY.exe
C:\Windows\System\aTQrcNK.exe
C:\Windows\System\phUQgvv.exe
C:\Windows\System\bvndusq.exe
UPX packed file
(64 hits; no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e77bd42bd11dc83991453c84c2f5087_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\UwUdlBL.exe | C:\Windows\System\UwUdlBL.exe |
| C:\Windows\System\oUOnFiU.exe | C:\Windows\System\oUOnFiU.exe |
| C:\Windows\System\OzNXdlD.exe | C:\Windows\System\OzNXdlD.exe |
| C:\Windows\System\PoDKeZH.exe | C:\Windows\System\PoDKeZH.exe |
| C:\Windows\System\yADZsVp.exe | C:\Windows\System\yADZsVp.exe |
| C:\Windows\System\aZXQUHB.exe | C:\Windows\System\aZXQUHB.exe |
| C:\Windows\System\AwEBgDH.exe | C:\Windows\System\AwEBgDH.exe |
| C:\Windows\System\BbzUVFV.exe | C:\Windows\System\BbzUVFV.exe |
| C:\Windows\System\PcYteHi.exe | C:\Windows\System\PcYteHi.exe |
| C:\Windows\System\GJgAZUi.exe | C:\Windows\System\GJgAZUi.exe |
| C:\Windows\System\baosKaz.exe | C:\Windows\System\baosKaz.exe |
| C:\Windows\System\nbNDogY.exe | C:\Windows\System\nbNDogY.exe |
| C:\Windows\System\VfmTyJR.exe | C:\Windows\System\VfmTyJR.exe |
| C:\Windows\System\KdpiYGC.exe | C:\Windows\System\KdpiYGC.exe |
| C:\Windows\System\PbUuXKP.exe | C:\Windows\System\PbUuXKP.exe |
| C:\Windows\System\wOHyIYL.exe | C:\Windows\System\wOHyIYL.exe |
| C:\Windows\System\xKmvrWa.exe | C:\Windows\System\xKmvrWa.exe |
| C:\Windows\System\MYeVjDY.exe | C:\Windows\System\MYeVjDY.exe |
| C:\Windows\System\aTQrcNK.exe | C:\Windows\System\aTQrcNK.exe |
| C:\Windows\System\phUQgvv.exe | C:\Windows\System\phUQgvv.exe |
| C:\Windows\System\bvndusq.exe | C:\Windows\System\bvndusq.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
The in-addr.arpa entries are reverse (PTR) lookups sent to 8.8.8.8 and none of them names the C2 host; as in behavioral1, 3.120.209.58:8080 is contacted directly by IP (six TCP connections) with no domain recorded.
Files
memory/4992-0-0x00007FF704450000-0x00007FF7047A4000-memory.dmp
memory/4992-1-0x00000265E90D0000-0x00000265E90E0000-memory.dmp
C:\Windows\System\UwUdlBL.exe
| MD5 | b047e197ce7245bd1857fdcf658d492b |
| SHA1 | 4104b00a77a8981cc7252d5249c79aad45250e41 |
| SHA256 | e767f1f3b9ee36157497cc6eafca28ff1cbbc85d3fe7d0e5912c049b7d2e17b4 |
| SHA512 | db128f844ce2b8f80e23ab73081867529c3f849be657f33e24bb26e16628221e23df03c4acb3872588c27d3bd079449c2d6ddc40f3a166ce143ffe95f3d8ec70 |
memory/5044-6-0x00007FF7F87E0000-0x00007FF7F8B34000-memory.dmp
C:\Windows\System\OzNXdlD.exe
| MD5 | 42de3d3330cc0b12bfb43701727d1669 |
| SHA1 | a2fef3de61e9271178c5ea21b0c552a4ab8759e1 |
| SHA256 | ba951c90dd9ef7ea9594fadcc2c15f59ccd2e550f89cd33665aeb9dd8c711a13 |
| SHA512 | 31373b4868b94ad7538dcbb01434985691464b96e713d8443d108c355a6a5b405715ceba05c1ac9b32ef47055b869e93b3e1476b20ab8cea281f8a7b9c9f0158 |
memory/2872-19-0x00007FF6FD8C0000-0x00007FF6FDC14000-memory.dmp
C:\Windows\System\PoDKeZH.exe
| MD5 | d067f7b588b287bbc8810e593d014edf |
| SHA1 | b559af0ed7b656bbb6e0246a561e16ecd324a4d9 |
| SHA256 | cf19f198763c6ecac92879185e692bdda1a6d8154da40939e50cdb4f0ab03054 |
| SHA512 | e81f6f74fd230f3bae7794692ab7806a51aa738207a4c23870576dce397e7f189b48f344dc2b677b165ae47ac4bd2ae4b3e8fd3430a8cda94b5b8fc20e59f2a9 |
C:\Windows\System\yADZsVp.exe
| MD5 | 1ed0a5bedebd4d28d710b13883f5242c |
| SHA1 | 52aa7dc3649838b88eaa7f78b320ab03e537ecdb |
| SHA256 | 8d33432f71e307971a77616ee611d494064d9c2a66f14eb9e81f8ce713614783 |
| SHA512 | e359a2e2a9ae9609b6a6314cbd76d7ad39e9a36c56acc08c2395cd18d38cd67bcbb1c9b57247334281ec444c42337105a24381ca10d584e3b7adb7ae14fc4409 |
C:\Windows\System\AwEBgDH.exe
| MD5 | d193a9dd77d8106abda5cf16cb3f13ec |
| SHA1 | e15844500366bda194e9268af99df19ac9f1a7ae |
| SHA256 | 5de3de879c5b360128316b2c521069035a9634aca54d9c52f08ae4765693bab0 |
| SHA512 | 5e3c82b6f8fb236186b10d101084d890e4858cb78bb86edc6ce40fbe7c783133991a97d79da667f0fb9cec4f1d27c769fd939444cccb06ee70597b1cadf28feb |
memory/1368-42-0x00007FF73EEF0000-0x00007FF73F244000-memory.dmp
memory/2824-40-0x00007FF7ACFA0000-0x00007FF7AD2F4000-memory.dmp
C:\Windows\System\aZXQUHB.exe
| MD5 | 0c3a4ed8d41cbbcdc02f9d32c4d7f9dd |
| SHA1 | 98d1f440329fc8f60dbfe4ea2875b407dfc81d20 |
| SHA256 | e20bd2ec8eed5411ef12eaf06ed850e623dd706b6cba45ae955ca3a2db2a015f |
| SHA512 | 0bb7cc94fcef98d1b2655305e8b88989d15ee65cdafef1207e5be6cf78917e2275c3b66398290fbc3ef6496579834e88a80bf126ef3472b3b5f21ed57d5375af |
memory/2228-34-0x00007FF6D0AB0000-0x00007FF6D0E04000-memory.dmp
memory/928-26-0x00007FF75C920000-0x00007FF75CC74000-memory.dmp
memory/1236-14-0x00007FF77D980000-0x00007FF77DCD4000-memory.dmp
C:\Windows\System\BbzUVFV.exe
| MD5 | 8833c3971a738e1d0423ebc019fa10bf |
| SHA1 | 32130decb23beea1d880a0928066ed96177e9b13 |
| SHA256 | 9f829f1bbc20689cc578facb8a874fb9af5c183eb392a815c713e51a2d0fc3f5 |
| SHA512 | 33c27b847b14be4ae9dfb6cce060656fa14308ca49c2236d8d36a21ba4c779614c2478ad553f635a783d9580ea7ba9e1430f5ac55d638f8657b4dde42de59f47 |
C:\Windows\System\PcYteHi.exe
| MD5 | 2aaeed5ea7375ec62d5bcbcf737497e6 |
| SHA1 | 7dd3ee77775b2fafaa2c2692c7549c5c5abe4406 |
| SHA256 | a1f69ee6d7e32814d94397b3fb4fc37002275942347636600216fa594119088f |
| SHA512 | 07d4e93e68cced11b491f2fbebaf6062566b187538cc1b4ee0bcb2b3cff23145584dc75ecad24f3f004bb1cd69eea9cd5b58c18dd3dd2f2bbc614e51b91aa5a9 |
memory/988-51-0x00007FF60A820000-0x00007FF60AB74000-memory.dmp
C:\Windows\System\baosKaz.exe
| MD5 | e740fd13fcc5beb486e5e18c9445b54f |
| SHA1 | aa690345325ae5a6dea07e9b013b45d44a7dbb2a |
| SHA256 | 562a0d4a5e2a8ee07e692f8addd65379db35d1edcf5df5be70ea0befea633451 |
| SHA512 | d645986a69c71897c9c46674d0f117ad2bdc35c7706965c90cffe5c96cba1f744e3b423a2f07d102a6b85a42213dadd9c9a3303fff1b4a11716dca2b4b78bca0 |
C:\Windows\System\nbNDogY.exe
| MD5 | 282acfad684ea72e3ab894e20c8343c6 |
| SHA1 | b107fc69f4099fbc63e96fc50ffb5ea7f1041aec |
| SHA256 | 5ef949f534ba893f09c9e9c846e560befa5784581bc0ba6d8114c8b254aad833 |
| SHA512 | 8d9ce659a36c4a624f1442faf6747b340ff968ea8a27f5b2ef2247da2aaecb598657d153d9b2b1c8b2f6c20aa059335472efed29321fde3e6632f801776b21ec |
memory/768-74-0x00007FF7348E0000-0x00007FF734C34000-memory.dmp
C:\Windows\System\VfmTyJR.exe
| MD5 | eeb45b12e8da0d14454851fdbab5bf4d |
| SHA1 | ffbc480ba7f1e07d8d69859632033afe2642e18b |
| SHA256 | d6056a1ac74ebc66b26904414fdbac9bb22891c3a0b10d70f1f2aeac777a98b2 |
| SHA512 | a44757a3a1bb025aa8230a69568bc2dd331baf886347299148ece81fccd884f4a8be81982d42f83bcdb20e78c26d59d30c017730ef18f98c7a38a338c0911632 |
memory/2872-95-0x00007FF6FD8C0000-0x00007FF6FDC14000-memory.dmp
memory/1732-98-0x00007FF6739A0000-0x00007FF673CF4000-memory.dmp
memory/1508-99-0x00007FF62F9A0000-0x00007FF62FCF4000-memory.dmp
C:\Windows\System\wOHyIYL.exe
| MD5 | 79d83db6e495e5fb3f9fefb54fe892c4 |
| SHA1 | af459028ff8bb113589585da08c34723dec1ce6a |
| SHA256 | b813b1c544094f3d211faa5f6b32b0118c37ea09ce9d1ea888afc96238d2674b |
| SHA512 | abc1f0ee428decd09b7b40cad9bc5d17898d2b5d92c5cab7180381b086b63b56372d3a3cb81ed990ed369f2ddb6b0fbc1f43f0a19061d8d83b0b60cd96dbbbe6 |
C:\Windows\System\MYeVjDY.exe
| MD5 | cb6d552efb2248fec6ecf5f665c86e3e |
| SHA1 | 08d68f912d05edb18127ae0b87e528c9f8154fc8 |
| SHA256 | ccebc7fc5d32a9fb276d2b27b385a225bbf2152c3ae9416c56862ffb49abc0c4 |
| SHA512 | 2ac09f79e71cf42fd5cf319092569820c88eaeddbe1d937a3de99e2762527981218e407ec5d6c18ba14ceb9241ea90537b094be738d9ec67048322531c325ed6 |
C:\Windows\System\phUQgvv.exe
| MD5 | 07c8c687f192ed24228f52fd83c1a257 |
| SHA1 | 50bc12fcc24769e5b20f52df000993ce3b13679a |
| SHA256 | b54f8cfe3b66cc502ff8d33cfa071cfc458884bdc0fed329c1c714ee385e9d73 |
| SHA512 | 34bdf10702f42da8700df2bef6cb8858abfd40166de542e971115bd46faa6fec8bae63a353e85b67ead67f4fc6efda5f455bdf5dd280b8a981d9ba62bb59d8f8 |
C:\Windows\System\bvndusq.exe
| MD5 | 15655c5b57a07ebe6e4a159e1683ac3f |
| SHA1 | 8ad898f5b99be11fc0f2f23cd7f108e53ee3770b |
| SHA256 | 9ae01dd438f7b7fbd3aff8f75b8d6e1947f86efd9c5c9214c120973c82bc95b4 |
| SHA512 | a44c09d29aff9850b92752f3322ca0500dbc90b4fb3c77371df804132555af4914a97d2743fcdc8dde69fe39063f8626c07d3f430d1b38824488e2173223236e |
C:\Windows\System\aTQrcNK.exe
| MD5 | 5065783677d4eeb978e232de0672ef74 |
| SHA1 | 7d2ef57d5ed4a97a47a32d8c753e3e7a0ae9563f |
| SHA256 | b76dcae1e487030ddfbb7c7236b9ff8303dc40a01c6bd92b9bd979db5c90be83 |
| SHA512 | f88577071f469d4d5f02afd6d046a0d70605605ed1525eb3954db776ebae2e097208c9a2186a12983580318502648b1b901a70891500bfa25e4dcc7b0c3ed575 |
C:\Windows\System\xKmvrWa.exe
| MD5 | b6cdd2101ca50de46661e5a5f4c1ace7 |
| SHA1 | 50ff164e55b0406ef71de223347e396a047cef5f |
| SHA256 | 03ba3f138645a31b6f883c963558920bcd3f4312c2804e78948b3692de3341e4 |
| SHA512 | 4f8eedf8ddf421eaacf97c2fe5a1092d3ab843e52cb5fbef4b12e93730d2b58be5570ed71b69ce55c1e38c15bbe0af3fabafdd43dbce69772ee6707c9714b41d |
memory/4492-102-0x00007FF747F30000-0x00007FF748284000-memory.dmp
memory/3056-96-0x00007FF7F0A50000-0x00007FF7F0DA4000-memory.dmp
C:\Windows\System\PbUuXKP.exe
| MD5 | 75b47ed7ebacb17744e864b4890668a5 |
| SHA1 | bdee6570dfe1798b6ff8188ff91e3d3cea7983f9 |
| SHA256 | 505b9a3bb2dae54b91f94a3f012e547be58938472accb4729bc247755799cea5 |
| SHA512 | d8421e862b1f429ac28d7bcb3b0a2f0c880633968daf51ca87af925beb635f733f35b46c86a01e17cd32603dfc6cc9aba5f0a16382a7cbecf9fd3d0249a7eba0 |
C:\Windows\System\KdpiYGC.exe
| MD5 | 177ca6fb2ee579a76d4ae51fead1fae4 |
| SHA1 | c2a9dc35999d72ec53f1f8263081f3d0874835a9 |
| SHA256 | adaf1e33d7039a66d2a3f94c4145bb87d30f23288a39ab98c28451615d4aa45a |
| SHA512 | 716b796a9b80a800b77f4be9d181a325dead2877fcfaefdaa0d1c6d32a9f63b3739a2c4cd828560ecb2edfa5523b62050654e8f7a5d33d5882328bd1a298fe47 |
memory/1236-77-0x00007FF77D980000-0x00007FF77DCD4000-memory.dmp
memory/5044-73-0x00007FF7F87E0000-0x00007FF7F8B34000-memory.dmp
memory/3240-72-0x00007FF77FF50000-0x00007FF7802A4000-memory.dmp
memory/5084-66-0x00007FF72E520000-0x00007FF72E874000-memory.dmp
memory/4992-65-0x00007FF704450000-0x00007FF7047A4000-memory.dmp
memory/4964-61-0x00007FF743040000-0x00007FF743394000-memory.dmp
C:\Windows\System\GJgAZUi.exe
| MD5 | 49bc02431c2a7e46ce2cbbab830c7adf |
| SHA1 | 5ada9c583bb2a0571d699f92776cbd0c9c51bd8f |
| SHA256 | 6ee5099e701e8308456f1c213859db22ec87b1cbce606f1ac7aac6c3fd568851 |
| SHA512 | 9efc9c82264452a6990ebca0984155a6d3eda04cd74fea8592126150aade08f59e983ba76f61d0cb30d9494efac3165fdb948573d312a9238a2fd6c7533f3534 |
C:\Windows\System\oUOnFiU.exe
| MD5 | c10406928201ed0759e534eb85146ce0 |
| SHA1 | 600e50531e606c73113667d1e29967c4e1087642 |
| SHA256 | 3a2050c919924317c666f651b84475dd4b90d349ff0ac8dcfd0764c16a064efc |
| SHA512 | 04cd4db5ba25e4c0f5eec2d310a1c210c52b23d25335395d8adfd59bee2859d4d8cd49ebd08cfd8d4d61b0fb0f5c442e82c39a5b5b9ce80000f0aa9ce55480e1 |
memory/928-127-0x00007FF75C920000-0x00007FF75CC74000-memory.dmp
memory/1556-129-0x00007FF77F500000-0x00007FF77F854000-memory.dmp
memory/2568-132-0x00007FF745A50000-0x00007FF745DA4000-memory.dmp
memory/3324-131-0x00007FF6BFB70000-0x00007FF6BFEC4000-memory.dmp
memory/4880-130-0x00007FF739BD0000-0x00007FF739F24000-memory.dmp
memory/4616-128-0x00007FF73C270000-0x00007FF73C5C4000-memory.dmp
memory/2824-133-0x00007FF7ACFA0000-0x00007FF7AD2F4000-memory.dmp
memory/1368-134-0x00007FF73EEF0000-0x00007FF73F244000-memory.dmp
memory/3240-135-0x00007FF77FF50000-0x00007FF7802A4000-memory.dmp
memory/768-136-0x00007FF7348E0000-0x00007FF734C34000-memory.dmp
memory/4492-137-0x00007FF747F30000-0x00007FF748284000-memory.dmp
memory/5044-138-0x00007FF7F87E0000-0x00007FF7F8B34000-memory.dmp
memory/1236-139-0x00007FF77D980000-0x00007FF77DCD4000-memory.dmp
memory/2872-140-0x00007FF6FD8C0000-0x00007FF6FDC14000-memory.dmp
memory/928-141-0x00007FF75C920000-0x00007FF75CC74000-memory.dmp
memory/2228-142-0x00007FF6D0AB0000-0x00007FF6D0E04000-memory.dmp
memory/1368-144-0x00007FF73EEF0000-0x00007FF73F244000-memory.dmp
memory/2824-143-0x00007FF7ACFA0000-0x00007FF7AD2F4000-memory.dmp
memory/988-145-0x00007FF60A820000-0x00007FF60AB74000-memory.dmp
memory/4964-146-0x00007FF743040000-0x00007FF743394000-memory.dmp
memory/5084-147-0x00007FF72E520000-0x00007FF72E874000-memory.dmp
memory/3240-148-0x00007FF77FF50000-0x00007FF7802A4000-memory.dmp
memory/768-149-0x00007FF7348E0000-0x00007FF734C34000-memory.dmp
memory/3056-150-0x00007FF7F0A50000-0x00007FF7F0DA4000-memory.dmp
memory/1508-152-0x00007FF62F9A0000-0x00007FF62FCF4000-memory.dmp
memory/1732-151-0x00007FF6739A0000-0x00007FF673CF4000-memory.dmp
memory/4492-153-0x00007FF747F30000-0x00007FF748284000-memory.dmp
memory/4616-154-0x00007FF73C270000-0x00007FF73C5C4000-memory.dmp
memory/1556-155-0x00007FF77F500000-0x00007FF77F854000-memory.dmp
memory/4880-156-0x00007FF739BD0000-0x00007FF739F24000-memory.dmp
memory/3324-158-0x00007FF6BFB70000-0x00007FF6BFEC4000-memory.dmp
memory/2568-157-0x00007FF745A50000-0x00007FF745DA4000-memory.dmp
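What an analyst usually wants from a report like this is a short indicator list and a sanity check on the memory dumps. The script below is an added example and is not part of the sandbox report: it parses an inline excerpt copied from the Network and Files sections above, separates the only non-DNS destination (3.120.209.58:8080) from the reverse-DNS lookups sent to 8.8.8.8, decodes those PTR names back into IP addresses, and computes the size of every dumped region from its start and end addresses. The table and dump-name layout rules and the helper names are assumptions about this report format, not part of the sandbox's own tooling.

```python
"""Extract IOCs and memory-region sizes from the detonation report.

Added example; not part of the sandbox report. REPORT is a constructed
excerpt copied from the page's Network and Files sections, and the
row/filename layout rules below are assumptions about that format.
"""
import re
from collections import Counter

REPORT = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
memory/4992-0-0x00007FF704450000-0x00007FF7047A4000-memory.dmp
memory/4992-1-0x00000265E90D0000-0x00000265E90E0000-memory.dmp
memory/5044-6-0x00007FF7F87E0000-0x00007FF7F8B34000-memory.dmp
memory/2872-19-0x00007FF6FD8C0000-0x00007FF6FDC14000-memory.dmp
"""

# | Country | ip:port | cell3 | cell4 |  (some exports put "tcp" in cell3)
NET_ROW = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$"
)
# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PTR = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_network(text):
    """Return one dict per network row, tolerating a shifted proto column."""
    rows = []
    for line in text.splitlines():
        m = NET_ROW.match(line.strip())
        if not m:
            continue
        country, ip, port, c3, c4 = m.groups()
        if c4.lower() in ("tcp", "udp"):
            proto, domain = c4.lower(), c3
        else:
            proto, domain = c3.lower(), c4
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "proto": proto, "domain": domain})
    return rows


def ptr_to_ip(name):
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217' (octets reversed)."""
    m = PTR.match(name)
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def tcp_destinations(rows):
    """Count non-DNS TCP endpoints: the candidates for C2 indicators."""
    return Counter(f"{r['ip']}:{r['port']}" for r in rows if r["proto"] == "tcp")


def reverse_lookups(rows):
    """Addresses the host asked the resolver to reverse-resolve (PTR queries)."""
    return {ptr_to_ip(r["domain"]) for r in rows
            if r["proto"] == "udp" and r["port"] == 53 and ptr_to_ip(r["domain"])}


def parse_dumps(text):
    """Return (pid, index, start, end, size) for each memory dump name."""
    out = []
    for line in text.splitlines():
        m = DUMP.match(line.strip())
        if m:
            pid, idx, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            out.append((int(pid), int(idx), start, end, end - start))
    return out


def region_sizes(dumps):
    """Histogram of dumped-region sizes; one dominant size means one image everywhere."""
    return Counter(d[4] for d in dumps)


if __name__ == "__main__":
    net = parse_network(REPORT)
    print("tcp destinations:", dict(tcp_destinations(net)))
    print("reverse lookups :", sorted(reverse_lookups(net)))
    for size, n in region_sizes(parse_dumps(REPORT)).most_common():
        print(f"region size 0x{size:X}: {n} dump(s)")
```

Run against the full listing, every main-module region in the Files section comes out at 0x354000 bytes, which is consistent with the same-sized image being executed out of each randomly named dropped EXE even though the files carry different hashes. The PTR queries are reverse lookups of addresses the analysis host itself talked to and are weak indicators at best; the repeated TCP connections to port 8080 on 3.120.209.58 are the only outbound destination worth blocking or hunting for.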